
Managing project and contract risks
Cristina Serban – Manager
Advisory Services

Iasi, 22 October 2009


Session overview

Contract Risks
► A shift towards Extended Enterprise Model
► Contract life cycle and related risks
► How are contract risks managed?
► The role of internal audit
► Managing contract risks – challenges
► Managing contract risks – benefits

Project Risks
► Project Risk Reporting vs. Enterprise Risk Reporting
► Levels of reporting project risks
► Project team
► Project management
► Project Steering Committee
► Common mistakes

22 October 2009 Page 2 Managing contract and project risks


What is “Risk”?

RISK: The threat that an event, action or inaction will adversely affect an organization's ability to achieve its business objectives. In other words, risk is anything that could jeopardize the achievement of an objective.

HOW IS THE RISK MEASURED? Impact and likelihood.



Contract Risks
A shift towards Extended Enterprise Model

► Businesses can rarely “go it alone” - greater reliance on external partners to perform core business processes
► Outsourcing of non-core (and in some cases core) processes (supply chain, channel to market, etc)
► Product & services marketed through alliances and joint development arrangements (patents, copyrights, and trademarks)
► Growing interest of procurement/sourcing departments to identify ways to drive cost savings and maximize business relationships

► These relationships result in increased number and complexity of contracts

Result = changed risk profile for many organizations



Contract Life Cycle & Related Risks

Contract Life Cycle

Relationship
Sourcing Administration
management

- Planning - Execution - Reporting


- Selection - Compliance - Filing
- Commitment - Issue Resolution - Amendments

► Risks around sourcing are typically managed through strong controls
► Not always a similar focus on risks associated with subsequent contract administration and relationship management



Contract risks are real!

“…48% of 140 financial executives did not consider their controls over contract risk to be effective…..”
Ernst & Young UK Survey (Dec. 2006)

Contract risks represent a major risk management and internal audit “blind spot” for many
companies. More efficient and effective contract processes and controls also represent an
important way for companies to “make their business better.”



How are contract risks managed?

Reconsider your point of view…

Have you established and implemented a CONTRACT RISK FRAMEWORK of regular assessment and monitoring of contractual arrangements?

OR

Are you managing contract risk based on TRUST?



What are the elements of a Contract Risk Framework?

Contract Risk Assessment
• Inventory contracts portfolio
• Third Party/contract risk profile
• Areas of focus for monitoring procedures

Improvements
• Assist management in improvement implementation
• Compare controls and processes to leading practices

Monitoring Procedures
• Compliance validation procedures
• Data extraction and analysis

Communicate Results
• Compliance and monetary findings
• Process and control improvement recommendations
• Trend analysis
• Industry analysis



Has Internal Audit a role?

► Significant risk area for many companies
► Internal audit coverage depends on company’s approach to managing contract risk
► Review operation of framework
► Embed framework within internal audit planning and risk assessment cycle



Managing Contract Risks
Challenges

► Understanding your own company’s contract risk profile
► Managing the 3rd party relationship
► Right to audit
► Access to information
► Culture / geographical factors
► Managing confidentiality risk
► Communication protocols (internal/external)
► Negotiation of audit findings



Managing Contract Risks
Benefits

For the company
✓ Direct and tangible cost savings/revenue recovery
✓ Assurance regarding the adequacy and effectiveness of partners' controls
✓ Identification of marginal performance by partners
✓ Clear and quantifiable measurement system that is linked to risk assessments and critical success factors
✓ Allows for benchmarking of partners

For the contract partners
✓ Opportunity to assess their own processes and controls
✓ Understand the nature and risks within the contract
✓ Identification of ways to improve the economy and efficiency of operations
✓ Improve transparency of your company’s expectations with regard to internal controls
✓ Common issues in business channel communicated to all partners



In summary

► Contract risks – an increasingly important element of all companies’ risk profile
► Historically not a focus area for management
► Traditionally an internal audit blind spot

If the Audit Committee Chair asks how Internal Audit covered 3rd Party arrangements in the Internal Audit Plan, is this covered?



Project Risks
Project Risk Reporting vs. Enterprise Risk Reporting

Information Driver
► Project Risk Reporting: Timeframe and scope considerations will drive project reporting
► Enterprise Risk Reporting: Increasing stakeholder value drives enterprise reporting

Audience
► Project Risk Reporting: Team Management, Project Management, Steering Committee (sometimes others depending on project type – i.e. SOX, BASEL)
► Enterprise Risk Reporting: Line management, Executive Management, Board and Board Committees

Risk Categories
► Project Risk Reporting: Project risk categories usually mirror team structure, mapping to functional delivery area and therefore project deliverables: Change Management, Integration, Program Management, Infrastructure, Testing
► Enterprise Risk Reporting: Enterprise risk categories mirror organisational structure and focus on business activities: Financial reporting, supply chain management, business planning process



Project Risk Reporting – Example escalation

Steering Committee
✓ Progress on key High to Critical risks
✓ Risks not resolvable within the project and/or without assistance from the business

Project Management
✓ Medium to Critical Risks – project wide, focus on High and Critical
✓ Unable to be resolved in teams

Project Team
✓ All risks applicable to team, including those owned by the team and interdependencies
✓ Low risks should be resolved in team



Project Team Risk Reporting

Purpose
► A way for team leads to stay on top of risks for their team and risks that they need to work with other teams on (interdependencies)
► A prompt for teams to think about new risks – most risks will come from the team level on projects

Considerations
► Centralised reporting (through a PMO) ensures that risks are presented to teams
► Team reporting is most effective when reports coincide with weekly team meetings
► The Team Lead should be encouraged to share project management and Steering Committee reports with their teams to give team members a view of the “big picture”



Project Team Risk Reporting
Example
✓ Typically, project team reporting is an extract from the risk register of risks raised as being the responsibility of the team.

✓ The key items needed for regular monitoring of risks are included in the example chart headings below. There is no need in regular team meetings to evaluate risks unless new risks are raised. There should be specific sessions scheduled for this purpose.

✓ Teams should use these reports as a tool for their project planning and tracking process by incorporating mitigation plans into their project plans.

Headings for team level risk register extract:
Category | Description | Owner | Risk Rating | Mitigation Plan and Progress



Project Management Risk Reporting

Purpose
► Project Management is all about prioritizing activities to deliver the project. Risk reports help project managers focus on areas that need the most attention.
► Helps facilitate the decision-making process across the project, taking interdependencies into account
► To provide a regular check that the risk management process is working
► To encourage accountability for risk management

Considerations
► Running through even Med to Critical risks can be very time-consuming. It may be most appropriate to do the full list monthly and only high and critical risks at weekly/fortnightly meetings.
► Accountability is critical to ensure actions are taken. If the “risk owner” doesn’t sit on the project management team, the risk will then need to be spoken about by the risk owner’s management representative.
► Project Managers need to be encouraged to refrain from changing the risk rating in regular meetings. Separate risk workshops should be scheduled at regular stages in the project for this activity.



Project Management Risk Reporting
Example
[Figure: Risk Map plotting numbered risks by Likelihood against Consequence]
Risk Map to be used as a starting point for understanding the key risks for discussion.

[Table: risks cross-referenced against project deliverables, with an X marking each deliverable affected. Sample risks listed: Human Resources pulled back into the business at short notice; Lack of business buy-in; Resources required for testing are not available]
Cross-reference to deliverables to focus on deliverables at risk and risks impacting multiple deliverables.

Risk register extract prioritised by risk rating.



Project Steering Committee Risk Reporting

Purpose
► To escalate risks requiring cross-organizational discussions, decisions, and management involvement; and
► To provide information on the mitigation progress for critical risks facing the project.

Considerations
► Short list of key risk areas only – this relies on effective risk identification, evaluation, and recording within the project itself.
► Brief outline of risk description and current mitigation plan and progress
► Where Steering Committee assistance is required, this should be stated specifically, and action items tracked as part of the mitigation plan.



Project Steering Committee Risk Reporting
Example
Visual – to draw attention to the key area of risk – sample chart:

[Figure: radar chart, scale 0 to 60, with series for Aug-05, Sep-05 and Oct-05 across the categories Change Management, Testing, Infrastructure, Program Management - Finance and Program Management - Resourcing]

This maps the total impact and probability ratings across all risks (or a subset of risks) in a category. Larger deviation from the centre indicates where biggest risk is. This can then be used to prioritise areas of risk for reporting to the Steering Committee.

Note the changes over time: Change Management is decreasing, potentially due to increased attention to mitigation, while Resourcing is increasing.

Words - summary to support the visual (not the risk register) – sample structure:

Risk Area/Category | Brief Description | Owner | Mitigation Plan | STC Action/Decision
Program Management – Resourcing | | | |
Change Management | | | |



Common mistakes

► Project risk information fails to include risks that will impact on the business.
This often contributes to a disconnect between the project and the business
and can result in surprises late in implementation.
► Isolated risk reporting can result in a lack of connection between the risk and its
impact on deliverables, timing, budget, and resources.
► Having no criteria in place to determine which risks get raised to which level
often results in extensive lists of un-prioritised risks, many inappropriate to
discuss in the forum presented (i.e. program management meeting or steering
committee meeting).
► Using number of risks raised and closed is a misleading measure as it's difficult
to understand the weighting of the risks and enforces a culture of risk resolution
rather than risk mitigation.
► Risks should never be reported as “closed” unless the probability can be rated
as zero (i.e. the contributing factors no longer exist). This is linked to a lack of
differentiation between a “risk” and an “issue”.



Thank you!
